PF enabled gateway: can't ping the outside world, can't show routing table

Hello all,

So I got this PF with NAT running on FreeBSD 9 RELEASE, together with pppoe and dhcpd. Physical setup is as follows:
Code:
ISPmodem --- FreeBSD 9 with pf --- switch --- localbox

All went well, traffic flows from the localboxes to the internet and vice versa, but I can't ping the internet (i.e. http://www.google.com) and netstat -r shows an empty table? Only if I disable pf can I ping the internet, and the routing table reappears. Did I miss anything?

Code:
moon# ping www.google.com
^C
moon# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
^C
moon# pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
moon# 
moon# 
moon# 
moon# ping www.google.com
PING www.l.google.com (74.125.128.106): 56 data bytes
64 bytes from 74.125.128.106: icmp_seq=0 ttl=51 time=14.748 ms
64 bytes from 74.125.128.106: icmp_seq=1 ttl=51 time=13.375 ms
64 bytes from 74.125.128.106: icmp_seq=2 ttl=51 time=16.259 ms
^C
--- www.l.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.375/14.794/16.259/1.178 ms
moon# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            x.x.x.x UGS         0     4045   tun0
x.x.x.x link#5             UHS         0        0   tun0
n119237148105.netv link#5             UHS         0        0    lo0
localhost          link#3             UH          0        0    lo0
192.168.2.0        link#2             U           0     7643    em1
moon               link#2             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags      Netif Expire
::                 localhost          UGRS        lo0
localhost          localhost          UH          lo0
::ffff:0.0.0.0     localhost          UGRS        lo0
fe80::             localhost          UGRS        lo0
fe80::%em1         link#2             U           em1
fe80::215:17ff:fe2 link#2             UHS         lo0
fe80::%lo0         link#3             U           lo0
fe80::1%lo0        link#3             UHS         lo0
ff01::%em1         fe80::215:17ff:fe2 U           em1
ff01::%lo0         localhost          U           lo0
ff02::             localhost          UGRS        lo0
ff02::%em1         fe80::215:17ff:fe2 U           em1
ff02::%lo0         localhost          U           lo0
moon#

Code:
moon# cat /etc/pf.conf
wan="tun0"
lan="em1"
localsubnet=$lan:network

scrub in all

nat on $wan from $localsubnet to any -> ($wan)

block in log on $wan from any to any
pass in log on $lan from $localsubnet to any keep state
 
Routing table has nothing to do with PF. Nothing you do with PF will prevent the routing table from showing.

The reason it's slow is because it tries to resolve hostnames. Use the -n flag to prevent this.
 
Thanks SirDice, I tried -n and you're right. :)

Still, I couldn't ping the outside world from the FreeBSD9-with-pf box. One weekend later I figured out that it uses its WAN address as the source address of the outgoing ping packets and PF blocks it (forget about DNS resolution, I use an IP address, not a hostname, for the ping below, i.e. 74.125.128.106 is http://www.google.com). If I use its LAN address as the source, like:

Code:
moon# ping -S 192.168.2.254 74.125.128.106
PING 74.125.128.106 (74.125.128.106) from 192.168.2.254: 56 data bytes
64 bytes from 74.125.128.106: icmp_seq=0 ttl=51 time=21.710 ms
64 bytes from 74.125.128.106: icmp_seq=1 ttl=51 time=16.462 ms
64 bytes from 74.125.128.106: icmp_seq=2 ttl=51 time=23.001 ms
^C

then it pings no problem! So I had to add the following rule to allow packets originating from this box through:

Code:
pass out log on $wan from $wan to any keep state

Is this PF's normal behaviour? Thanks in advance all.
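As an added example (not the poster's own pf.conf, and not a reply from anyone in the thread), here is the complete ruleset with the extra "pass out" rule in place, annotated with why it matters. The interface names and the 192.168.2.0/24 LAN come from the thread; the comments are my reading of pf's state handling: the original rules only create state for forwarded traffic matching the "pass in on $lan" rule (or the nat rule, which is why sourcing the ping from 192.168.2.254 worked), so a packet the gateway itself sends out on tun0 leaves via pf's default pass with no state entry, and the reply coming back in on tun0 is caught by "block in on $wan".

```pf
# Added example ruleset, not the poster's file. Interface names and the
# LAN range are taken from the thread; the comments are illustrative.
wan="tun0"
lan="em1"
localsubnet=$lan:network

scrub in all

# Translate forwarded LAN traffic to the PPPoE address. "($wan)" in
# parentheses makes pf re-read the address whenever tun0 changes, which
# matters for a dynamically assigned WAN address.
nat on $wan from $localsubnet to any -> ($wan)

# Default-deny on the WAN side; "log" sends the drops to pflog0 so they
# can be seen with tcpdump instead of being lost silently.
block in log on $wan from any to any

# Traffic the gateway itself originates on tun0. Without this rule the
# packet still leaves (pf passes by default), but no state is created, so
# the reply is matched only against the block rule above and is dropped.
# "($wan)" is used here instead of "$wan" for the same dynamic-address
# reason as in the nat rule.
pass out log on $wan from ($wan) to any keep state

# Forwarded LAN traffic; the state created here is what lets replies for
# the localboxes back in through the WAN block rule.
pass in log on $lan from $localsubnet to any keep state
```

To check this without disrupting the running ruleset, `pfctl -nf /etc/pf.conf` parses the file without loading it; after `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the loaded rules and `pfctl -ss` shows the state entries, so a ping from the gateway should now leave behind an icmp state on tun0. Blocked packets from the `log` rules can be watched with `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to confirm whether a missing reply is being dropped by the WAN block rule rather than lost upstream. On FreeBSD 9, `keep state` is already the default for pass rules, so writing it out is harmless but not required.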
 